From Wikipedia, the free encyclopedia

Credit card with EMV chip. The 3 by 5 mm chip embedded in the card is shown enlarged in the inset. The contact pads on the card enable electronic access to the chip

EMV is a standard for interoperation of IC cards ("Chip cards") and IC capable POS terminals and ATMs, for authenticating credit and debit card payments. The name EMV comes from the initial letters of Europay, MasterCard and VISA, the three companies that originally cooperated to develop the standard. Europay International SA was absorbed into Mastercard in 2002. JCB (formerly Japan Credit Bureau) joined the organization in December 2004, and American Express joined in February 2009. IC card systems based on EMV are being phased in across the world, under names such as "IC Credit" and "Chip and PIN".

The EMV standard defines the interaction at the physical, electrical, data and application levels between IC cards and IC card processing devices for financial transactions. Portions of the standard are heavily based on the IC Chip card interface defined in ISO/IEC 7816.

The system is not compatible with the original Carte Bancairesmart cards systematically deployed in France since 1992. However, the French Carte Bancaire now also uses the EMV standard.

The most widely known implementations of EMV standard are:

VSDC - VISA

MChip - MasterCard

AEIPS - American Express

J Smart - JCB

Visa and MasterCard have also developed standards for using EMV cards in devices to support card-not-present transactions over the telephone and Internet. MasterCard has the Chip Authentication Program (CAP) for secure e-commerce. Its implementation is known as EMV-CAP and supports a number of modes. Visa has the Dynamic Password Authentication (DPA) scheme, which is their implementation of CAP using different default values.

On February 11th 2010, the security behind the EMV PIN system has been demonstrated as broken and vulnerable to a man-in-the-middle attack by a group of computer scientists from Cambridge University. [1]

EMVCo's response is that while such an attack might be theoretically possible, it would be extremely difficult and expensive to carry out successfully. Current compensating controls are likely to detect or limit the fraud. The possible financial gain from the attack is minimal while the risk of a declined transaction or exposure of the fraudster is significant.[citation needed]

Differences and benefits of EMV

The purpose and goal of the EMV standard is to specify interoperability between EMV compliant IC cards and EMV compliant credit card payment terminals throughout the world. There are two major benefits to moving to smart card based credit card payment systems: improved security (with associated fraud reduction), and the possibility for finer control of "offline" credit card transaction approvals. The goals and benefits of EMV: High level standard on terminal↔card API. It reduces the cost and time interval of software development (POS, ATM, HSM,...). The non EMV payment smart card has its own crypto protections (RSA, DES) and is based on local private standards.

EMV financial transactions are claimed to be more secure against fraud than traditional credit card payments that use the data encoded in a magnetic stripe on the back of the card.[citation needed] This is due to the use of cryptographic algorithms such as DES, Triple-DES, RSA and SHA to provide authentication of the card to the processing terminal and the transaction processing center. However, processing is generally slower than a batched or otherwise offline magnetic stripe transaction. The processing time is comparable to online transactions, in which communications delay accounts for the majority of the time, while cryptographic operations take comparatively little time. The supposed increased protection from fraud has allowed banks and credit card issuers to push through a 'liability shift' such that merchants are now liable (as from 1 January 2005 in the EU region) for any fraud that results from transactions on systems that are not EMV capable.[citation needed] For transactions in which an EMV card is used, the cardholder is assumed to be liable unless they can unquestionably prove they were not present for the transaction, did not authorize the transaction, and did not inadvertently assist the transaction through accidental PIN disclosure.

Although not the only possible method, the majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a PIN (Personal Identification Number) rather than signing a paper receipt. Whether or not PIN authentication takes place depends upon the capabilities of the terminal and programming of the card. For more details of this (specifically, the system being implemented in the UK) see Chip and PIN.

Control of the EMV standard

The first version of EMV standard was published in 1995. Now the standard is defined and managed by the public corporation EMVCo LLC.The current members of EMVCo are JCB International, American Express, MasterCard Worldwide, and Visa, Inc. Each of these organizations owns one quarter of EMVCo and has representatives in the EMVCo organization and EMVCo working groups.

Recognition of compliance with the EMV standard (i.e. device certification) is issued by EMVCo following submission of results of testing performed by an accredited testing house.

After passing common EMVCo tests, the software must be certified by payment brands to comply with proprietary EMV implementations such as VISA VSDC, American Express AEIPS, MasterCard MChip, JCB JSmart, or EMV-compliant implementations of non-EMVCo members such as LINK in the UK, or Interac in Canada.

The EMVCo standards have been integrated into the broader electronic payment security standards being developed by the Secure POS Vendor Alliance, with a specific effort to develop a common interpretation of EMVCo's place relative to, and interactions with, other existing security standards, such as PCI-DSS.[2]

List of EMV documents and standards

Since version 4.0, the official EMV standard documents, that define all the components in an EMV payment system, are published as four "books":

Decreased security for PINs

A Chip and PIN machine may be observed by other shoppers, staff, or anyone with access to footage from security cameras (as above).

A PIN alone obtained by an unauthorised person is not enough for fraudulent card use. A card alone without PIN can be used in a merchant's terminal which allows authorisation by magnetic strip—such terminals are increasingly rare in chip and PIN countries—but not in an ATM until 2010. A PIN can, however, be used in conjunction with a cloned magnetic strip or a card which is stolen or misused. Consequently criminals attempt to obtain both card and PIN. A card can be used in a PIN terminal without a PIN using special hardware announced by researchers in February 2010; it is not known if this vulnerability has been exploited by criminals.

Direct observation

It is always possible to find a PIN by watching it being typed in ("shoulder surfing"). Before Chip and PIN this could happen at an ATM in a bank or other relatively secure area. The use of PINs by all merchants accepting cards has increased the opportunities to observe PINs; the environment is more open and public, and more care is needed to shield the PIN when typing it in to a legitimate terminal. PINs obtained in this way are only of use if the card is then stolen, or misused (e.g., by a family member).

Counterfeit PIN pads are sometimes used to log PINs and stripe details in systems which swipe the magnetic stripe, allowing a fraudster to clone the card and know the PIN for use in ATMs that allow magnetic stripe authorisation. This would not work in countries (including the UK) where all ATMs require authorisation by chip rather than magnetic stripe.

Indirect observation

Security cameras at the cash register intended to deter shoplifters and thieves may compromise the security of Chip and PIN by recording customers entering PINs if recordings are not dealt with securely.[3] Again, fraudulent use is possibly only in conjunction with a stolen card or cloned magnetic stripe.

Hidden pinhole camera on cash machines are sometimes used by criminals to harvest PINs, usually in conjunction with card theft. For example, there have been instances where a customer is told by a "friendly bystander" that they have dropped £5 after they have inserted the card and entered the PIN; when they bend down to pick it up, the card is stolen from the machine's slot and used with the PIN obtained by pinhole camera or binocular observation from a distance[citation needed].

Opportunities to harvest PINs and clone magnetic stripes

In addition to the track-two data on the magnetic stripe, EMV cards generally have identical data encoded on the chip which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card which, while not usable in a chip and PIN terminal, can be used, for example, in terminal devices which permit fallback to magstripe processing for foreign customers without chip cards, and defective cards. This attack is possible only where (a) the offline PIN is presented in plaintext by the PIN entry device to the card, where (b) magstripe fallback is permitted by the card issuer and (c) where geographic and behavioural checking may not be carried out by the card issuer.

It was claimed that changes specified to the protocol (specifying different card verification values between the Chip and Magnetic Stripe – the iCVV) rendered this attack ineffective. APACS (the UK payments association) stated that such measures would be in place from January 2008, although tests on cards in February 2008 indicated this may have been delayed.[4] However, there was a very large scale and successful attack which went on for 9 months in 2008 (see below).

Within the UK and Ireland, plaintext offline PIN is the standard mode of operation and cards which support encrypted offline PIN are rare, despite being common in other countries. Permitting magstripe fallback transactions to take place is a risk known to card issuers; it is usually permitted when fraud levels are low, in order to increase profits and avoid antagonising cardholders by allowing transactions which could not otherwise have taken place. When magstripe fallback fraud levels grow, this processing option is disallowed.

Geographic and behavioural fraud analysis tools are in use by many card issuers to track and decline transactions considered suspicious—for example, an EMV card-present transaction at a UK ATM, followed hours later by a magstripe fallback transaction in the Far East.

Successful attacks

Conversation-capturing is the form of attack which was reported to have taken place against Shell terminals in May 2006, when they were forced to disable all EMV authentication in their petrol stations after more than £1 million was stolen from customers.[5]

In October 2008 it was reported that hundreds of Chip and PIN readers for use in Britain, Ireland, the Netherlands, Denmark, and Belgium had been expertly tampered with in China during or shortly after manufacture so that details and PINs of credit and debit cards were sent during the 9 months before over mobile phone networks to criminals in Lahore, Pakistan. US National Counterintelligence Executive Joel Brenner said "Previously only a nation state's intelligence service would have been capable of pulling off this type of operation. It's scary". Data were typically used a couple of months after the card transactions to make it harder for investigators to pin down the vulnerability. After the fraud was discovered it was found that tampered-with terminals could be identified as the additional circuitry increased their weight by about 100 g. Tens of millions of pounds sterling are believed to have been stolen.[6] This vulnerability spurred efforts to implement better control of electronic POS devices over their entire life cycle, a practice endorsed by electronic payment security standards like those being developed by the SPVA.[7]

Demonstration of PIN harvesting and stripe cloning

Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated in a February 2008 BBC Newsnight programme one example attack, to illustrate that Chip and PIN is not secure enough to justify passing the liability to prove fraud from the banks onto customers[8][9]. The Cambridge University exploit allowed the experimenters to obtain both card data to create a magnetic stripe and the PIN.

APACS, the UK payments association, disagreed with the majority of the report, saying: "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out." [10] They also said that changes to the protocol (specifying different card verification values between the Chip and Magnetic Stripe – the iCVV) would make this attack ineffective from January 2008. The fraud reported in October 2008 to have operated for 9 months (see above) was probably in operation at the time, but was not discovered for many months.

2010: hidden hardware disables PIN checking on stolen card

On 11 February 2010 Murdoch and Drimer's team at Cambridge University announced that they had found "a flaw in chip and PIN so serious they think it shows that the whole system needs a re-write" that was "so simple that it shocked them"[11] A stolen card is connected to an electronic circuit and to a fake card which is inserted into the terminal. Any 4 digits are typed in and accepted as a valid PIN. A team from the BBC's Newsnight programme visited a Cambridge University cafeteria (with permission) with the system, and were able to pay using their own cards (a thief would use stolen cards) connected to the circuit, inserting a fake card and typing in "0000" as the PIN. The transactions were registered as normal, and were not picked up by banks' security systems. A member of the research team said "Even small-scale criminal systems have better equipment than we have. The amount of technical sophistication needed to carry out this attack is really quite low". It is not known if this vulnerability has been exploited.

When approached for comment, several banks each said that this was an industry-wide issue, and referred the Newsnight team to the banking trade association for further comment. According to Phil Jones of the Consumers' Association, chip and PIN has helped to bring down instances of card crime, but many cases remain unexplained "What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive".

Originally bank customers had to prove that they had not been negligent with their PIN before getting redress, but UK regulations in force from 1 November 2009 placed the onus firmly on the banks to prove that a customer has been negligent in any dispute, with the customer given 13 months to make a claim[12]. Murdoch said that "[the banks] should look back at previous transactions where the customer said their PIN had not been used and the bank record showed it has, and consider refunding these customers because it could be they are victim of this type of fraud".

Drimer and Murdoch published a paper with Ross Anderson on the closely related topic of "Failures of Tamper-Proofing in PIN Entry Devices" in IEEE Security and Privacy, November/December 2009[13]